I recently took part in the Homeland Security Dialogue Forum Hybrid Cloud Symposium , in association with the Center for Public Policy Innovation. A stellar lineup of government speakers presented, including Dan Jacobs from the IT Modernization Centers of Excellence at the GSA, and Brian Merrick from the Cloud Management Office at the State Department. Both joined me on the panel “How Hybrid Cloud Delivers Additional Capability to Federal Agencies.” I’d like to share some points regarding questions we received – which hopefully will stimulate ideas with other government leaders looking to improve their IT landscape. In keeping with the policy of the forum, comments that follow will not be attributed to speakers and opinions are mine.
One of the most impactful panel observations was the concept of being “risk informed” when developing and implementing a strategy for IT modernization. Too often IT security departments can feel that their role is only to strictly follow the letter of official guidance and not to interpret the guidance and look for ways to meet the intent with new technologies. One panel member described it as: “Tell me how to do it securely, don’t simply say I can’t do it.” This idea is foundational to the federal Cloud Smart strategy.
Another informative discussion was about how to manage the operational complexities of having multiple cloud providers. One attendee suggested keeping a common technology stack from the virtual machine on up, which could be implemented on premises or through different cloud providers (such as Oracle’s VMware solutions). However, an even better way to reduce the workload on your ops team is to push that complexity to the cloud providers! The more SaaS you can use, the easier your operational demands are. If SaaS products don’t quite fit your requirements, either add features with some low-code development, or migrate your existing software to PaaS—which has less operational burden than IaaS. Only when neither SaaS nor PaaS is a fit should you migrate to IaaS. That will certainly be the case in some situations, but even then, the complexity can be mitigated with automation tools such as Terraform.
Finally, a key concept discussed was that the security of the data is most important as agencies look at different hybrid architectures. If agencies have a data set that is valid for development and testing, but not sensitive, they can confidently experiment with new services and cloud providers before having to do the heavy lift of securing and certifying the environments. Once they have decided on a new technology, they have confidence it will work for their use case before they begin the ATO process.